Encryption method and system.

(57) The present invention provides a simple encryption method and system for encrypting data into a plurality of control and encrypted data blocks. The data to be encrypted is divided into data segments which can be of varying length. Each control block comprises the information necessary to decrypt the data contained in the encrypted data block, such as the encryption function and associated key used to encrypt a data segment, the start position of an encrypted data segment within the encrypted data block and the length of the encrypted data block. Both the control block and the encrypted data block are padded with random numbers and the start position of the encrypted data within the encrypted data block can vary.
The present invention relates to a data encryption method and system.

Encryption systems and methods have a wide range of applicability. For example, they are used in communication systems, such as cellular telephones or local area networks, wherein the data exchanged is confidential and it is desired to preserve the quality of confidence of the data.

The effectiveness of an encryption system partly depends upon the complexity of the encryption method employed. Simple prior art encryption methods involve, for example, permuting the letters of the English alphabet to form a permuted alphabet. Each letter of the data to be encrypted is substituted by a corresponding letter chosen from the permuted alphabet. However, simple encryption methods are prone to being easy to decrypt by an unauthorised recipient of the encrypted data. Therefore, the complexity of encryption methods has increased over the years.

As the complexity of encryption methods increases the time taken to encrypt and subsequently decrypt data also increases. It is desirable that the encryption time be kept low to increase the efficiency of, for example, a communication system employing the encryption method while retaining the high complexity of the encryption method. In order to compensate for increase in encryption time dedicated hardware is often used to implement the encryption and decryption methods. US 5,257,282 discloses a high speed code sequence generator comprising a plurality of low speed shift registers which are algebraically combined and multiplexed to produce a high speed composite code sequence. Japanese PUPA 05-102960 discloses a cipher system in which a cipher rule is randomly selected at the beginning of each communication. The same selected cipher rule is used to encrypt data throughout the whole communication. US 5,261,003 discloses a data communication system and method with data scrambling in which one of a plurality of keys is used for scrambling data. The key selected is dependent upon the input data to be scrambled.

Other encryption methods exist, such as the Data Encryption Standard (DES), which again are implemented in special purpose hardware in order to achieve an acceptable processing time. However, DES has associated security restrictions which can limit its distribution.

Therefore, the prior art lacks a simple encryption method which provides encrypted data which is difficult to decrypt by an unauthorised recipient and which also has a relatively short encryption and decryption time.

Accordingly the present invention provides a method for encrypting data comprising a plurality of data segments into a plurality of encrypted data blocks and associated control blocks, the method comprising the steps of, for each data segment,

selecting one of a plurality of encryption functions,
encrypting the data segment using the selected encryption function to form an encrypted data segment,
producing an encrypted data block comprising the encrypted data segment,
producing for the encrypted data block an associated control block comprising an indication of the encryption function used to encrypt the data.

The use of multiple encryption techniques for the same data set makes unauthorised decryption very difficult, even though the individual encryption techniques used are relatively simple and so can be computed very easily and quickly. Such an encryption process has wide applicability, for example in secure communications, in the storage of classified material, and so on.

To further enhance the security of the data, it is desirable to be able to select or alter the values of at least one out of the total length of the encrypted data block, the length of an encrypted data segment within an encrypted data block, and the start position of an encrypted data segment within an encrypted data block (in the current embodiment the first of these is fixed, with the second and third being selected, but any combination could be selectable). Although such selections could be made according to a predetermined pattern, or some known parameter (e.g. the date), a preferred solution is to select these quantities on the basis of randomly generated numbers (such selections would obviously need to meet restraints such that the length of the encrypted data segment is less than the length of the encrypted data block that contains it).

If the starting position of the encrypted data can vary within the encrypted data block preferably the control block comprises an indication of the starting position of the encrypted data segment within the encrypted data block (although this information could be supplied by some separate mechanism). Likewise, the control block may comprise an indication of the total length of the encrypted data block and the length of the data segment as appropriate. That is, if variable values are used for the length of the data segment, the length of the encrypted data block or the position of the encrypted data segment within the encrypted data block, then those values are preferably included in the control block.

Most encryption functions utilise an encryption key to encrypt data in conjunction with the encryption function. In order to decrypt the code both the encryption function and the key must be known thereby providing greater security. Therefore the present invention provides a method further comprising the step of selecting an encryption key from a plurality of encryption keys for use with the selected encryption function used to encrypt the data segment.
To avoid the need for the encryption keys to be exchanged between a supplier of encrypted data and the recipient thereof in order to be able to decrypt the encrypted data, it is desirable to provide an indication of the encryption key used to encrypt the data within the control block.

A control block having a fixed format is more readily deciphered than a control block whose format varies with each data segment to be encrypted.

Accordingly, it is possible to provide a method further comprising the step of selecting one of a plurality of predetermined control block formats and wherein a predetermined position of each control block further contains an indication of the predetermined format of the control block.

The invention also provides a system for encrypting data comprising a plurality of data segments into a plurality of encrypted data blocks and associated control blocks, comprising: means for selecting for each data segment one of a plurality of encryption functions; means for encrypting for each data segment the data segment using the selected encryption function to form an encrypted data segment; means for producing for each data segment an encrypted data block comprising the encrypted data segment; and means for producing for each data segment a control block associated with the encrypted data block comprising an indication of the encryption function used to encrypt the data.

The invention further provides a method for decrypting data encrypted from a plurality of data segments into a plurality of encrypted data blocks and associated control blocks using a plurality of encryption functions, the method comprising the steps of: reading a control block and an associated encrypted data block; determining an encryption function from the information in the control block used with the associated encrypted data block; and decrypting a data segment from the encrypted data block based on the determined encryption function.

An embodiment of the present invention will now be described by way of example only with reference to the accompanying drawings in which:

Figure 1 shows the data to be encrypted and a data segment before and after encryption,
Figure 2 illustrates how different encryption functions are selected according to a random number,
Figure 3 shows the data encrypted into a plurality of encrypted data blocks and associated control blocks,
Figure 4 shows a flow diagram illustrating the steps of an encryption method,
Figure 5 illustrates how the format of the control block is selected according to a generated random number,
Figure 6 shows a decryption flow diagram,
Figure 7 shows schematically an encryption system.

In figure 1 there is shown data (D) to be encrypted. The data is divided up into a plurality of data segments. The length of each data segment (DS) varies and is determined by a respective random number (L2) generated for each data segment. The encrypted data comprises a control block (CB) and an encrypted data block (EDB) for each data segment (DS). The encrypted data block (EDB) includes an encrypted data segment (EDS) (i.e. a segment that actually contains the original data segment in encrypted form). The control block (CB) comprises a plurality of fields containing information concerning the format of the data bytes in the encrypted data block (EDB), in particular the encryption function (F) and encryption key (K) used to encrypt the data segment (DS) and an indication of the starting position (S) of the encrypted data segment (EDS) within the encrypted data block (EDB) which is chosen at random. The control block (CB) and the encrypted data block (EDB) are also padded with random numbers (X).
The fields of the encrypted data are as follows:

L1 = the length of an encrypted data block (EDB),
S = the start position of an encrypted data segment (EDS) within an encrypted data block,
L2 = the number of bytes in a data segment (DS) to be encrypted,
F = an indication of the encryption function used to encrypt a data segment,
K = an indication of the encryption key used to encrypt a data segment,
EDS = an encrypted data segment, and
X = random numbers.

The encryption function in conjunction with an encryption key translates each byte of the data segment into a corresponding encrypted byte and can be represented generally as EDS = F(K, D) where EDS and K have the values indicated above and D is the data segment being encrypted. The mapping of D to EDS can be selected arbitrarily and does not have to be performed on a byte by byte basis.

Examples of suitable encryption functions are:

1. EDS = K exclusive-or D,
2. EDS = shift left D by K bits,
3. EDS = re-arrange the order of the bits in D.

Referring to figure 2, different encryption functions and encryption keys selected from the range of available encryption functions (F1 to Fi) and encryption keys (K1 to Kj) are used to encrypt each data segment (DS1 to DSn). The encryption function used to encrypt a data segment is determined by generating a first random number within a predetermined range (1 to i) and mapping that random number to one of the encryption functions (F1 to Fi). Similarly, the encryption key used to encrypt a data segment is determined by selecting a second random number from a predetermined range (1 to j) and mapping that number to one of the encryption keys (K1 to Kj). Therefore, when each data segment (DS1 to DSn) has been encrypted the total encrypted code will comprise a plurality of encrypted data blocks (EDB1 to EDBn) and associated control blocks (CB1 to CBn) as illustrated in figure 3.

There need not be a one to one mapping between the random numbers and the corresponding encryption functions or encryption keys. A particular range of random numbers can be mapped to the same encryption function or encryption key thereby reducing the number of encryption functions and encryption keys needed to implement an embodiment of the present invention as illustrated in Table 1 below.

Referring to figure 4 there is shown a flow diagram illustrating the steps of an encryption method according to the present invention. At step 400 a first random number is generated from a predetermined range to select the encryption function (F1 to Fi) to be used to encrypt a data segment. Step 410 generates a second random number from a second predetermined range to select the encryption key (K1 to Kj) to be used with the selected encryption function to encrypt the data segment. A third random number (L1) is generated within a predetermined range at step 420 to determine the total length (L1) of the encrypted data block (EDB). At step 430 a fourth random number (S) within a range determined by the third random number is generated which identifies the start position (S) of the encrypted data segment (EDS) within the encrypted data block (EDB). Finally, step 440 generates a fifth random number (L2) within a range determined by the third (L1) and fourth (S) random numbers to determine the size of data segment to be encrypted.

If space is limited it may be desirable to restrict the selection range for the fourth random number to 0 < S < L1/2 and the selection range for the fifth random number to (L1 - S)/2 < L2 < L1 - S, although any appropriate range can be selected.

Step 450 obtains the next L2 bytes of data, forming a data segment. Each byte of a data segment is encrypted using the respective selected encryption function and selected encryption key at step 460. An encrypted data segment is positioned in an encrypted data block beginning at a start position determined by a corresponding fourth random number at step 470. The generated random numbers (L1, S, L2, F and K) are then placed in a control block according to a predetermined format. The remaining fields of the control block and the encrypted data block are padded with random numbers (X) as illustrated in figure 1.

Although the embodiment of the present invention described herein uses the same format control block for each encrypted data block, a varying format can equally well be used. In such a case, each format may be chosen from a plurality of control block formats (CB1 to CBl) by generating a sixth random number from a predetermined range which maps to one of the plurality of possible control block formats (CB1 to CBl) as illustrated in figure 5 (L1, S, L2, F and K have the same meaning as above). Each control block (CB1 to CBl) would require a further field (C) to contain an identification of the particular format of the control block used. Using such a technique to vary the format of the control block further increases the difficulty of deciphering the contents of the control blocks and hence also increases the difficulty of decrypting the encrypted data segment. Alternatively, if a particular sequence of control block formats was established such that both the encryption and decryption methods conformed to that sequence, the information contained in the control block could be deciphered without the need to provide an indication therein of the particular control block format utilised.

Further, such a technique could be used to obviate the need to generate several random numbers and the need for separate control blocks and data blocks. A single random number could be used to identify the format of the encrypted data, the fields of the above control block and the encrypted data block being merged. Each field would contain a predetermined value representative of the format of the whole encrypted block. Encrypting according to this technique would reduce the encryption time at the expense of initially generating the corresponding encrypted data formats and associated values. However, the corresponding encrypted data formats and values need only be generated once.

Each encrypted data (ED) is written to a storage medium as a file of records for further processing or can 
be transmitted to an intended recipient using a local area network or other transmission medium. 

Referring to figure 6 there is shown a decryption flow diagram, assuming the encrypted data is stored as a file of records. At step 600 the file containing the records of the encrypted data is opened. Step 610 retrieves the next record from the file. As the format of the control block is known, assuming an embodiment having a fixed format control block, step 620 extracts the values L1, S, L2, F and K from the control block. The values S and L2 are used to identify the encrypted data segment (EDS) at step 630. The values of F and K are used to decrypt the encrypted data segment (EDS) at step 640 by mapping the value of F to a decryption function which is the inverse of a corresponding encryption function together with the key (K). The steps 600 to 640 are repeated for all records in the file (note that the value of L1 can be used to locate the control block for the subsequent data segment).

Rather than storing the control block and the encrypted data block together in the same record an embodiment of the invention can be realised in which they are stored separately. Each control block is stored as a record and the encrypted data blocks are stored in a separate file as contiguous bytes. Accordingly, when the decryption data is extracted from the control block, the next L1 bytes are read from the file containing the encrypted data blocks. The L1 bytes are then decrypted as above.

Referring to figure 7 there is shown schematically an encryption system (ES) according to an embodiment of the present invention comprising a disc drive (DD) for storing a file (FF) containing the data (D) to be encrypted; means (RNG) for generating at least five random numbers corresponding to the values L1, S, L2, F and K; means (I) for reading the next available L2 bytes, corresponding to the number of bytes in a data segment to be encrypted, from the file (FF); means (EF) for determining the encryption function to be used to encrypt the data; means (EK) for determining the encryption key to be used to encrypt the data; means (E) for encrypting a data segment and producing the encrypted data comprising a control block (CB) and an encrypted data block (EDB) and means (O) for writing a record containing the encrypted data to an encrypted data file (EDF).

Table 1 below shows the C language code which is used to implement an embodiment of the present invention. The C language code below can be executed on any computer which supports a C language environment. A suitable computer would be, for example, an IBM Personal Computer PS/2.
TABLE 1

(c) IBM Corporation 1994. All rights reserved.

    #include <stdlib.h>              /* rand() */

    /* Type names and constants the listing uses but does not define */
    #define VOID void
    #define FAR                      /* empty on flat-memory compilers */
    typedef unsigned char  UCHAR;
    typedef short          SHORT;
    typedef unsigned short USHORT;
    typedef unsigned long  ULONG;
    #define MAX_RANDOM_NUMBER 32767  /* rand() is assumed to return 0..32767 */

    /* Record structure */
    typedef struct btrec             /* record */
    {
        ULONG funcnum;               /* Encode function number 0->none */
        ULONG key;                   /* Key for function (N/A if no func) - max key
                                        value=64k-1 */
        ULONG length;                /* Length of following data */
        ULONG start;                 /* start position of the encrypted data */
        ULONG cntrlblock[20];        /* control block */
        UCHAR data[500];             /* Data */
    } BTREC;
    typedef BTREC FAR * PBTREC;

    /* Encryption and decryption functions */
    #define ENCODE1(d,k) ((UCHAR)((d) ^ (UCHAR)(k)))
    #define ENCODE2(d,k) ((UCHAR)((UCHAR)(~(d)) ^ (UCHAR)(k)))
    #define ENCODE3(d,k) ((UCHAR)((d) ^ (UCHAR)~(k)))
    #define DECODE1(d,k) ((UCHAR)((d) ^ (UCHAR)(k)))
    #define DECODE2(d,k) ((UCHAR)(~(UCHAR)((d) ^ (UCHAR)(k))))
    #define DECODE3(d,k) ((UCHAR)((d) ^ (UCHAR)~(k)))

    /* Name: NewKey */
    /* Description: Returns a key to use in the translation */
    USHORT NewKey(VOID)
    {
        USHORT key;                  /* Key */

        /* Work out the key from a random number */
        key = (USHORT)rand();
        /* return random number */
        return (key);
    }

    /* Name: NewFunc */
    /* Description: Returns a function number to use in the translation */
    ULONG NewFunc(VOID)
    {
        ULONG func;                  /* Function number */

        /* Work out the function number from a random number */
        func = (ULONG)(rand() & MAX_RANDOM_NUMBER);
        if (func < 10000) func = 1;
        else if (func < 20000) func = 2;
        else func = 3;
        /* return the function number */
        return (func);
    }

    /* Name: NewLength */
    /* Description: Returns a random length between two bounds */
    /* Input: Lower bound */
    /*        Upper bound */
    /* Returns: Length */
    SHORT NewLength(SHORT lower, SHORT upper)
    {
        SHORT len;                   /* Length */
        SHORT r;                     /* Random number */
        SHORT j;                     /* Work variable: number of possible lengths */

        /* Get a random number */
        r = (SHORT)(rand() & MAX_RANDOM_NUMBER);
        /* Map it to the range and get the length (never above upper) */
        j = (SHORT)(upper - lower + 1);
        len = (SHORT)(lower + ((long)r * j) / (MAX_RANDOM_NUMBER + 1L));
        return (len);
    }

    /* Name: FillStdData */
    /* Description: Fill in the standard part of a data record, using
                    random numbers to avoid patterns and select an
                    encryption function and an encryption key. */
    VOID FillStdData(PBTREC pbtrec)
    {
        ULONG i;                     /* Count */

        /* Fill the standard part of the record with random numbers */
        for (i = 0; i < 500; i++)
            pbtrec->data[i] = (UCHAR)rand();
        for (i = 0; i < 20; i++)
            pbtrec->cntrlblock[i] = (ULONG)rand();
        pbtrec->start = 0;
        pbtrec->length = NewLength(30, 100);  /* assigns random no. in range 30 to 100 */
        pbtrec->funcnum = NewFunc();
        pbtrec->key = NewKey();
        return;
    }

    /* Name: StartPos */
    /* Description: Determines the start position of the data in data[] */
    VOID StartPos(PBTREC pbtrec)
    {
        /* select start position such that data fits into array, data[];
           do/while so that a position is drawn even though start begins at 0 */
        do
            pbtrec->start = (ULONG)(rand() & MAX_RANDOM_NUMBER);
        while (pbtrec->start > 500 - pbtrec->length);
        return;
    }

    /* Name: ApplyFunc */
    /* Description: Encode the data by applying the function and key and
                    place in data[] at selected start position. */
    /* Input: Pointer to record */
    VOID ApplyFunc(PBTREC pbtrec)
    {
        ULONG i;                     /* Count */

        /* Process according to the function number. Each loop runs from the
           last byte down: the destination lies at or above the source, so no
           plain byte is overwritten before it has been read. */
        if (pbtrec->funcnum == 1)
            for (i = pbtrec->length; i-- > 0; )
                pbtrec->data[i + pbtrec->start] = ENCODE1(pbtrec->data[i], pbtrec->key);
        else if (pbtrec->funcnum == 2)
            for (i = pbtrec->length; i-- > 0; )
                pbtrec->data[i + pbtrec->start] = ENCODE2(pbtrec->data[i], pbtrec->key);
        else if (pbtrec->funcnum == 3 || pbtrec->funcnum != 0)
            for (i = pbtrec->length; i-- > 0; )
                pbtrec->data[i + pbtrec->start] = ENCODE3(pbtrec->data[i], pbtrec->key);

        /* Plain bytes left below the start position become padding again */
        if (pbtrec->funcnum != 0)
            for (i = 0; i < pbtrec->start && i < pbtrec->length; i++)
                pbtrec->data[i] = (UCHAR)rand();
        return;
    }

    /* Name: TxData */
    /* Description: Transfer the control data into the control block */
    VOID TxData(PBTREC pbtrec)
    {
        pbtrec->cntrlblock[1] = pbtrec->length;
        pbtrec->cntrlblock[4] = pbtrec->start;
        pbtrec->cntrlblock[9] = pbtrec->funcnum;
        pbtrec->cntrlblock[15] = pbtrec->key;
        return;
    }



The record structure "btrec" describes the format of the information contained in the record containing the encrypted data. The control block, cntrlblock[ ], comprises a plurality of values from the following fields "funcnum", "key", "length", "start" which correspond to F, K, L2 and S above. The encrypted data block is represented by the array "data[500]" and therefore L1 is fixed at 500 (therefore there is no need to store its value in the control block). As indicated above the invention is not limited to a fixed length encrypted data block and the code above can be readily modified to implement an embodiment having a variable length encrypted data block.

The encryption and decryption functions are defined by the functions "ENCODE1", "ENCODE2", "ENCODE3" and "DECODE1", "DECODE2", "DECODE3". It can be seen that the decryption functions are the inverse of the encryption functions. ENCODE1 performs a bit-wise exclusive-or between a byte of data, d, and an encryption key, k; ENCODE2 performs a bit-wise exclusive-or between the one's complement of a byte of data, d, and an encryption key, k; and ENCODE3 performs a bit-wise exclusive-or between a byte of data, d, and the one's complement of an encryption key, k. The decryption functions "DECODE" perform the inverse of the "ENCODE" functions. The present invention is not limited to using the "ENCODE" and "DECODE" functions defined above and an embodiment can equally well be realised using other encryption and decryption functions.

The function "NewKey" generates a new encryption key each time the function is called. In the embodiment described herein the key is a random number.

The function "NewFunc" returns an indication of which encryption function is to be used for encrypting a data segment. One of three functions is selected according to the range within which a generated random number falls.

The function "NewLength" returns a random number within a given range defined by "lower" and "upper". The function is used to determine the length of the data segment to be encoded by setting pbtrec->length to the return value of the function. Note that in the present embodiment the length is restricted to a maximum value of 100, so that most of the encrypted data block is in fact padding. If space or bandwidth was more limited, the amount of padding could be greatly reduced (or even eliminated).

The function "FillStdData" initialises the arrays cntrlblock[ ] and data[ ] with random numbers, sets the start position data to zero, selects the length of the data segment and selects the encryption function and key to be used to encrypt the data segment.

The function "StartPos" generates a random start position for the encrypted data segment within the array data[ ] which is such that the encrypted data segment will always fit into the data array, data[ ].

The function "ApplyFunc" encrypts the data segment by applying the selected encryption function and key to each byte within the data segment. According to the encryption function selected one of the three "ENCODE" functions is called, passing the data to be encrypted, data[i], and the encryption key, pbtrec->key, to that function. The encrypted data is stored in the data array, pbtrec->data[i + pbtrec->start], of record btrec.

The function "TxData" transfers the control information into the array "cntrlblock[ ]" such that the control block has a fixed format. The control block and encrypted data block can then be transmitted to an intended recipient or stored for later processing as appropriate. Further, the control blocks and the encrypted data blocks can be stored or transmitted separately.

Therefore the two arrays, cntrlblock[ ] and data[ ], contain the encryption information and the encrypted data block respectively from which decryption can be effected.
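
The decryption procedure of figure 6 applied to the record layout of Table 1, as an added example that is not part of the patent's own listing: read_record range-checks the L2, S and F values taken from the control block before indexing data[], and encode2_equals_encode3 confirms that ENCODE2 and ENCODE3 as listed compute the same mapping. RECORD, apply, build_record, read_record and encode2_equals_encode3 are hypothetical names introduced here; the control block slots 1, 4, 9 and 15 are those written by TxData, and the sample segment is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char UCHAR;
typedef unsigned long ULONG;

#define EDB_LEN 500  /* L1: size of data[] in Table 1 */
#define CB_LEN   20  /* size of cntrlblock[] in Table 1 */

/* Control block slots written by TxData in Table 1 */
enum { CB_LENGTH = 1, CB_START = 4, CB_FUNC = 9, CB_KEY = 15 };

/* RECORD is a hypothetical name: just the two arrays that are stored or sent */
typedef struct {
    ULONG cntrlblock[CB_LEN];
    UCHAR data[EDB_LEN];
} RECORD;

/* One byte through function F (1..3) with key K. DECODE1..3 compute the same
   mappings as ENCODE1..3, so this routine serves both directions. */
static UCHAR apply(ULONG func, ULONG key, UCHAR d)
{
    UCHAR k = (UCHAR)key;
    if (func == 1) return (UCHAR)(d ^ k);            /* ENCODE1 */
    if (func == 2) return (UCHAR)((UCHAR)~d ^ k);    /* ENCODE2 */
    return (UCHAR)(d ^ (UCHAR)~k);                   /* ENCODE3 */
}

/* Sender side, condensed from FillStdData/ApplyFunc/TxData; func, key and
   start are passed in so that the result is reproducible.
   Returns 0, or -1 when the values do not describe a valid record. */
int build_record(RECORD *rec, const UCHAR *seg, ULONG len,
                 ULONG func, ULONG key, ULONG start)
{
    ULONG i;
    if (func < 1 || func > 3) return -1;
    if (len > EDB_LEN || start > EDB_LEN - len) return -1;
    for (i = 0; i < CB_LEN; i++)  rec->cntrlblock[i] = (ULONG)rand();  /* X */
    for (i = 0; i < EDB_LEN; i++) rec->data[i] = (UCHAR)rand();        /* X */
    for (i = 0; i < len; i++)     rec->data[start + i] = apply(func, key, seg[i]);
    rec->cntrlblock[CB_LENGTH] = len;
    rec->cntrlblock[CB_START]  = start;
    rec->cntrlblock[CB_FUNC]   = func;
    rec->cntrlblock[CB_KEY]    = key;
    return 0;
}

/* Receiver side, figure 6. Step 620: extract L2, S, F and K. Step 630: locate
   the EDS. Step 640: apply the inverse function. The control block arrives
   with the data and is therefore untrusted input, so its values are
   range-checked before any index is formed.
   Returns the number of bytes written to out, or -1. */
long read_record(const RECORD *rec, UCHAR *out, ULONG outcap)
{
    ULONG len   = rec->cntrlblock[CB_LENGTH];
    ULONG start = rec->cntrlblock[CB_START];
    ULONG func  = rec->cntrlblock[CB_FUNC];
    ULONG key   = rec->cntrlblock[CB_KEY];
    ULONG i;
    if (func < 1 || func > 3) return -1;
    if (len > EDB_LEN || start > EDB_LEN - len || len > outcap) return -1;
    for (i = 0; i < len; i++)
        out[i] = apply(func, key, rec->data[start + i]);
    return (long)len;
}

/* Returns 1 if ENCODE2 and ENCODE3 give the same byte for every (d, k).
   They do, since ~d ^ k == d ^ ~k, so Table 1 has two distinct mappings. */
int encode2_equals_encode3(void)
{
    unsigned d, k;
    for (d = 0; d < 256; d++)
        for (k = 0; k < 256; k++)
            if (apply(2, k, (UCHAR)d) != apply(3, k, (UCHAR)d)) return 0;
    return 1;
}

int main(void)
{
    static const UCHAR seg[] = "constructed sample segment";  /* constructed */
    UCHAR out[100];
    RECORD rec;
    long n;

    if (build_record(&rec, seg, sizeof seg - 1, 2, 0xBEEF, 137) != 0) return 1;
    n = read_record(&rec, out, sizeof out);
    printf("recovered %ld bytes: %.*s\n", n, (int)n, (const char *)out);
    printf("ENCODE2 == ENCODE3 for all inputs: %d\n", encode2_equals_encode3());

    rec.cntrlblock[CB_START] = 490;   /* segment would run past data[] */
    printf("out-of-range control block: %ld\n", read_record(&rec, out, sizeof out));
    return 0;
}
```

Every value read_record needs (L2, S, F and K) comes from the record itself, which is what allows the recipient to decrypt without a separate key exchange.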

Although the embodiment of the present invention described herein uses encryption and decryption functions which operate on a byte at a time, the encryption and decryption functions may operate on several bytes at a time.

Further, a plurality of separate data segments may be encrypted and stored in the same encryption data block, each having their respective encryption functions, key, start positions and lengths stored in the control block.



Claims 

1. A method for encrypting data comprising a plurality of data segments (DS1 to DSn) into a plurality of encrypted data blocks (EDB1 to EDBn) and associated control blocks (CB1 to CBn), the method comprising the steps of, for each data segment,
selecting one of a plurality of encryption functions (F1 to Fi),
encrypting the data segment using the selected encryption function to form an encrypted data segment,
producing an encrypted data block comprising the encrypted data segment,
producing for the encrypted data block an associated control block comprising an indication of the encryption function used to encrypt the data.

2. A method as claimed in claim 1, further comprising the step of selecting the total length (L1) of the encrypted data block for each data segment.

3. A method as claimed in either of claims 1 or 2, further comprising the step of selecting the length of each encrypted data segment (L2) within each encrypted data block.

4. A method as claimed in any preceding claim, further comprising the step of selecting the starting position (S) of the encrypted data segment within the encrypted data block.

5. A method as claimed in any of claims 2, 3 or 4, wherein the control block further comprises an indication of the total length of the encrypted data block, the length L2 of the data encrypted segment or the starting position (S) of the encrypted data segment within the encrypted data block, as appropriate.

6. A method as claimed in any of claims 2 to 5, wherein the total length (L1) of the encrypted data block, the length (L2) of the encrypted data segment, or the starting position (S) of the encrypted data segment within the encrypted data block is selected randomly.

7. A method as claimed in any preceding claim, further comprising the step of filling the fields of the encrypted data block which do not contain the encrypted data segment with random numbers (X).

8. A method as claimed in any preceding claim, further comprising the step of selecting an encryption key from a plurality of encryption keys (K1 to Kj) for use with the selected encryption function.

9. A method as claimed in claim 8, wherein the control block includes an indication of the selected encryption key (K).

10. A method as claimed in any preceding claim, wherein the control block further comprises random numbers (X) in the fields not occupied by other information.
11. A method as claimed in any preceding claim, further comprising the step of selecting one of a plurality of predetermined control block formats (CB1 to CBl) and wherein a predetermined position of each control block further contains an indication (C) of the predetermined format of the control block.

12. A system for encrypting data comprising a plurality of data segments (DS1 to DSn) into a plurality of encrypted data blocks (EDB1 to EDBn) and associated control blocks (CB1 to CBn), comprising:
means for selecting for each data segment one of a plurality of encryption functions (F1 to Fi);
means for encrypting for each data segment the data segment using the selected encryption function to form an encrypted data segment;
means for producing for each data segment an encrypted data block comprising the encrypted data segment;
and means for producing for each data segment a control block associated with the encrypted data block comprising an indication of the encryption function used to encrypt the data.

13. A method for decrypting data encrypted from a plurality of data segments (DS1 to DSn) into a plurality of encrypted data blocks (EDB1 to EDBn) and associated control blocks (CB1 to CBn) using a plurality of encryption functions (F1 to Fi), the method comprising the steps of:
reading a control block and an associated encrypted data block;
determining an encryption function from the information in the control block used with the associated encrypted data block;
and decrypting a data segment from the encrypted data block based on the determined encryption function.

14. The method of claim 13, wherein the control block also contains an encryption key for use with the encryption function.

15. A system for decrypting data encrypted from a plurality of data segments (DS1 to DSn) into a plurality of encrypted data blocks (EDB1 to EDBn) and associated control blocks (CB1 to CBn) using a plurality of encryption functions (F1 to Fi), the system comprising:
means for reading a control block and an associated encrypted data block;
means for determining an encryption function from the information in the control block used with the associated encrypted data block;
and means for decrypting a data segment from the encrypted data block based on the determined encryption function.